Puppet Server can be configured to use certificates issued by an existing external CA, much as a Ruby Puppet master can when it runs under a Rack-enabled web server such as Apache with Passenger. Much of the existing documentation on External CA Support for the Ruby Puppet Master still applies to Puppet Server; the configuration differences that are specific to Puppet Server are described on this page.

Client DN Authentication

Puppet Server runs inside a Jetty web server, so Rack-enabled web server configuration does not apply. For client authentication, Puppet Server extracts the distinguished name (DN) directly from the client certificate presented during SSL negotiation with Jetty. The web server therefore no longer needs to be configured to pass an X-Client-DN request header for client authentication.

That said, the X-Client-DN request header is still supported for deployments that must terminate SSL for client requests on an external server and forward the client identity to Puppet Server. If you enable it, make sure Puppet Server accepts the header only from that terminating server: any client that can reach Puppet Server directly and set X-Client-DN itself could otherwise claim an arbitrary DN. See External SSL Termination with Puppet Server for details.
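The identity decision described above, written out as an added example (this is illustrative code, not Puppet Server's implementation). It assumes the TLS layer supplies the peer certificate's subject DN, that the header is honoured only when an explicit flag (named allow_header_cert_info here, an assumption of this example) is set, and that the SSL-terminating proxies live in a known network range (10.0.0.0/24 here, also an assumption):

```python
from ipaddress import ip_address, ip_network

# Assumption for this example: only the external SSL terminators are in this range.
TRUSTED_TERMINATORS = [ip_network("10.0.0.0/24")]


def parse_dn(dn):
    """Split an RFC 2253 style DN such as "CN=foo,O=bar" into (attribute, value)
    pairs, honouring backslash-escaped commas inside values."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def certname_from_dn(dn):
    """Puppet identifies an agent by the CN of its certificate subject."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def resolve_client_certname(tls_peer_dn, headers, remote_addr, allow_header_cert_info=False):
    """Return the certname this request should be authenticated as, or None.

    - Native TLS on Jetty: the DN from the handshake is authoritative and any
      X-Client-DN header is ignored.
    - External SSL termination: the terminator forwards the DN in X-Client-DN.
      The header counts only when header-based identity is enabled AND the
      connection comes from a trusted terminator; otherwise a client talking to
      the server directly could forge the header and impersonate any agent.
    """
    if tls_peer_dn:
        return certname_from_dn(tls_peer_dn)
    if not allow_header_cert_info:
        return None
    addr = ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_TERMINATORS):
        return None
    header = headers.get("X-Client-DN")
    return certname_from_dn(header) if header else None
```

The order of the checks is the point: a certificate negotiated by Jetty always wins, and the header path is closed unless both the configuration flag and the source address say the request came through the trusted terminator.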

Disabling the Internal Puppet CA Service

If you are using certificates from an external CA, you must disable the internal Puppet CA service. Puppet Server does not honor the ca setting in puppet.conf, so the service is disabled in the bootstrap.cfg file instead (usually located at /etc/puppetserver/bootstrap.cfg).

To disable the Puppet CA service in bootstrap.cfg, comment out the line following “To enable the CA service…” and uncomment the line following “To disable the CA service…”, so that the section reads:

# To enable the CA service, leave the following line uncommented
# puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
# To disable the CA service, comment out the above line and uncomment the line below
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
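Because the switch above toggles two lines by hand, it is easy to end up with both CA services active or neither. The following added example (not part of Puppet Server) reads a bootstrap.cfg-style text, where each active line is a namespace/service reference and '#' begins a comment, and checks which CA mode is selected; it also performs the edit described above programmatically. The sample file contents are constructed for the example:

```python
CA_ENABLED = "puppetlabs.services.ca.certificate-authority-service/certificate-authority-service"
CA_DISABLED = "puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service"

# Constructed sample: the default layout with the internal CA still enabled.
SAMPLE_INTERNAL_CA = """\
# To enable the CA service, leave the following line uncommented
puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
# To disable the CA service, comment out the above line and uncomment the line below
# puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
"""


def active_services(text):
    """Return the set of service references that are not commented out."""
    services = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            services.add(line)
    return services


def check_ca_mode(text):
    """Classify the CA configuration as 'internal', 'external', or an error
    string when the two lines were not toggled together."""
    active = active_services(text)
    enabled = CA_ENABLED in active
    disabled = CA_DISABLED in active
    if enabled and disabled:
        return "error: both CA services are active; exactly one must be enabled"
    if not enabled and not disabled:
        return "error: no CA service is active; exactly one must be enabled"
    return "external" if disabled else "internal"


def switch_to_external_ca(text):
    """Comment out the CA service line and uncomment the disabled-service line,
    leaving every other line untouched."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == CA_ENABLED:
            out.append("# " + stripped)
        elif stripped.startswith("#") and stripped.lstrip("# ") == CA_DISABLED:
            out.append(CA_DISABLED)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(check_ca_mode(SAMPLE_INTERNAL_CA))
    print(check_ca_mode(switch_to_external_ca(SAMPLE_INTERNAL_CA)))
```

Running check_ca_mode over the real file before restarting Puppet Server catches the half-done edit that would otherwise only surface as a startup failure.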

Web Server Configuration

The webserver.conf file for Puppet Server plays the role that a VirtualHost configuration plays for a Ruby Puppet master running under Apache. Several ssl- settings must be added to webserver.conf so that the web server uses the correct SSL configuration: